RE: [WIRELESS-LAN] WLAN Deployment-High number of users

2009-05-22 Thread Scholz, Greg
We are a Brocade (OEM Meru) wireless shop and use MS IAS for RADIUS. You
can use the nas-ip-address attribute which is the IP of the controller
and the called-station-id which in Meru/IAS land is the MAC of the
controller:SSID (unlike Cisco per the posting below where it is the AP
MAC:SSID - I actually wish we could get the AP MAC).

So you may be able to get the NASID either by one of these attributes +
the SSID from the called-station-id using wildcard matching.

If these are more like fat APs where it will always be the AP's IP or
MAC (not the controller's) reported as the NAS, then what about
putting all their management IPs into logical groups so you could
wildcard match on a portion of the AP's MAC? Just another thought.

 

 

Hope this helps,

Greg

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Bruce
T
Sent: Friday, May 22, 2009 3:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

Thanks Mike and Lee,

 

If I could somehow leverage the NASID and SSID as a name-couplet, this
would provide the differentiation I need while making provisioning
relatively simple (I don't want to have to resort to MAC addresses).
The packet data pretty much reflects what I see in the RADIUS logs on
the Cisco ACS.  It's in the creating of the policy where the wireless
rubber meets the road.   

 

Much appreciated guys,

 

--Bruce Johnson

 



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Friday, May 22, 2009 8:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

It may be stating the obvious, but if you use AD, you can leverage
attributes there to allow/restrict a range of network/WLAN functions...

 

Lee 



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King
Sent: Friday, May 22, 2009 7:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

It all depends on:

1.  Your Wireless AP / Wireless Controller Implementation

2.  Your Radius Server's ability to use policies.

 

Each Radius server returns different information in a RADIUS packet.
The Cisco Controllers return the attributes of:

  CalledStationID 00-00-00-00-00-00:SSID (Where 00-00-00-00-00-00 is
the AP's MAC, and SSID is the SSID they are connecting to)

  CallingStationID 00-00-00-00-00-00 (Where 00-00-00-00-00-00 is the
MAC of the laptop)

  NASIPv4Address 0.0.0.0 (Where 0.0.0.0 is the IP of the Wireless LAN
Controller)

  NASIPv6Address -

  NASIdentifier Controller-Name (Where Controller-Name is the name of
the controller as configured in the WebGUI)

  NASPortType Wireless - IEEE 802.11

  NASPort 29 (The port number, I think with LAG ports, it's always 29)

 

The second part of the question, is can your Radius Server deal with
this information.

I know IDEngines has the concept of policies.  I know NPS (IAS for
server 2008) also has policies, and I know FreeRADIUS can pull off
some cool matching features.

NPS and IDEngines allow you to create policies that match like
firewall rules, and apply based on policy matches.  I'm unsure if IAS on
2003 can do this.  I'm not sure Steel belted Radius has this
functionality.  It didn't when I looked at it 4 years ago, but that is a
very long time ago in a product lifecycle for a currently shipping
product.

 

Mike

 

  

 

On Thu, May 21, 2009 at 8:06 PM, Johnson, Bruce T
bjohns...@partners.org wrote:

Jason et al,

 

Following up on the earlier two-SSID Nirvana (open and EAP-TLS)
dialogue.

 

We have a multi-controller/multi-campus environment.  I'd love to have a
single EAP-TLS SSID handle all devices/applications, several with unique
walled-garden isolation requirements that would otherwise require their
own SSID.  How difficult is this to manage when you have to
differentiate by controllers and campus-specific subnets?  

 

Can you combine attributes like NAS (controller) IP and device
credentials to serve up locally-significant VLANs?  

 

Overall, has moving the administrative burden to RADIUS been a net gain
in terms of RF cleanliness and client simplicity?

 

Regards all,

 

--Bruce Johnson

 



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah


Sent: Friday, May 15, 2009 4:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

 

It wasn't particularly difficult and many attributes from login name,
authenticator type, location, machine name,  and snmp names can be used
to differentiate 
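
The policy idea discussed in this thread (combine the controller's NAS-IP-Address with the SSID carried in Called-Station-Id and the user's group to hand back a campus-local VLAN) can be sketched as a first-match rule table. This is an added example, not code from any poster or RADIUS product; the controller subnets, SSIDs, group names and VLAN numbers are constructed, and the reply uses the standard tunnel attributes for VLAN assignment.

```python
import fnmatch
import ipaddress
import re
from dataclasses import dataclass

# Called-Station-Id as described in the thread: "<MAC>:<SSID>", MAC written with '-'.
# On Cisco the MAC is the AP's, on Meru/IAS the controller's; only the SSID is used here.
_CSID = re.compile(r"^((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}):(.+)$")


def parse_called_station_id(value):
    """Split 'MAC:SSID' into (MAC, SSID); raise ValueError on any other shape."""
    m = _CSID.match(value)
    if m is None:
        raise ValueError("unexpected Called-Station-Id: %r" % (value,))
    return m.group(1).upper(), m.group(2)


@dataclass(frozen=True)
class Rule:
    name: str
    nas_net: str  # controller(s) of one campus, CIDR matched against NAS-IP-Address
    ssid: str     # shell-style wildcard matched against the SSID
    group: str    # directory group the authenticated identity must belong to
    vlan: int     # VLAN that is locally significant on that campus


# Constructed policy: one EAP SSID, two campuses, different VLAN IDs per campus.
RULES = [
    Rule("campus-a-devices", "192.0.2.0/24", "campus-secure", "medical-devices", 210),
    Rule("campus-a-staff", "192.0.2.0/24", "campus-secure", "staff", 220),
    Rule("campus-a-labs", "192.0.2.0/24", "lab-*", "researchers", 230),
    Rule("campus-b-devices", "198.51.100.0/24", "campus-secure", "medical-devices", 310),
    Rule("campus-b-staff", "198.51.100.0/24", "campus-secure", "staff", 320),
]


def decide(request, groups, rules=RULES):
    """Return (rule name, reply attributes) for the first matching rule.

    (None, None) means reject: missing or malformed attributes and requests
    that match no rule fail closed instead of falling into a default VLAN.
    """
    try:
        nas_ip = ipaddress.ip_address(request["NAS-IP-Address"])
        _mac, ssid = parse_called_station_id(request["Called-Station-Id"])
    except (KeyError, ValueError):
        return None, None
    for rule in rules:
        if (nas_ip in ipaddress.ip_network(rule.nas_net)
                and fnmatch.fnmatchcase(ssid, rule.ssid)
                and rule.group in groups):
            return rule.name, {
                "Tunnel-Type": "VLAN",
                "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-ID": str(rule.vlan),
            }
    return None, None


# Constructed requests: the same device credential seen through two controllers.
SAMPLE_A = {"NAS-IP-Address": "192.0.2.10",
            "Called-Station-Id": "00-1A-2B-3C-4D-5E:campus-secure"}
SAMPLE_B = {"NAS-IP-Address": "198.51.100.10",
            "Called-Station-Id": "00-1A-2B-3C-4D-5F:campus-secure"}

if __name__ == "__main__":
    for req in (SAMPLE_A, SAMPLE_B):
        print(req["NAS-IP-Address"], decide(req, {"medical-devices"}))
```

Rule order matters, as with firewall rules: put the most specific match first and keep the implicit reject at the end.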

RE: [WIRELESS-LAN] Wireless network names

2009-03-31 Thread Scholz, Greg
KSC_Guest - Bluesocket controlled, internet access only

KSC_Student - no controls or encryption but dumps in behind our CCA so
they have to log in there to get anywhere. Students primarily use this
because of simplicity.

KSC_Secure - WPA, 802.1x, required for fac/staff to access any on campus
resources. Optional for students. If students select it our
controller/radius arrangement puts them into the same vlan as the
KSC_Student SSID so they also have to comply with CCA including the
login. Very few students use it since it would require specific settings
on their PC and two logins.

Couple other select ones for special applications. All begin with
KSC_. So it seems we are nearly the same as you.

_

Thank you,

Gregory R. Scholz

Director of Telecommunications

Information Technology Group

Keene State College

(603)358-2070

 

--If you don't have time to do it right, when will you have time to do
it over?

--Do not let what you cannot do interfere with what you can do.

- John Wooden

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Nathan Hay
Sent: Tuesday, March 31, 2009 3:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless network names

 

We are trying to decide on some network names for our various networks
and we are looking for input from other schools.

 

Would anyone mind sharing their SSID names and a brief description of
their target audience of devices/users?

 

We are specifically interested in choosing a new name for our SSID that
is primarily for smartphone/PDA/iPhone/iPod touch devices.

 

Here's what we have currently:

 

cedarwireless-guest:  coffee shop type wireless with limited access,
only in academic buildings

cedarwireless-special:  non-broadcast SSID for
smartphone/PDA/iPhone/iPod touch and game consoles

cedarwireless-unsecure:  clear network with captive portal for laptops
(students and others)

cedarwireless-secure:  WPA2-Enterprise network for laptops (students and
others)

 

Thanks,

 

Nathan

Nathan P. Hay
Network Engineer
Computer Services
Cedarville University
http://www.cedarville.edu/

** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/. 





RE: [WIRELESS-LAN] NAC polling: Wired AND Wireless

2009-03-06 Thread Scholz, Greg
I would challenge the AD is NAC in and of itself statement also :-)
AD is system access control, not network.

Philippe - we are not nearly your size but are currently evaluating
products to get to campuswide NAC. Currently CCA for students only. 2800
on campus, 5K total - we NAC students in the reshalls and all student
wireless. Day one will just replace the current situation, but I hope to
extend that somewhat next year.

My intention is to head toward NACing every network access method for
every port - wired ports, wireless, remote access.

The policy and control is still to be discussed but for example, just
because you use NAC doesn't mean you can't have guests, it just means
that anonymous guests get X access, but the NAC can determine and
enforce that at connect time for the given connection.

Anyway someone at this past EDUCAUSE gave a great presentation on their
methodology as they went through the project. Here is a link to the
presentation materials. We used this info extensively in our evaluation
thus far of the plethora of NAC products out there.
http://connect.educause.edu/Library/Abstract/NetworkAdmissionControlAS/47521


_
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070

--If you don't have time to do it right, when will you have time to do
it over?
--Do not let what you cannot do interfere with what you can do.
- John Wooden




-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Friday, March 06, 2009 11:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] NAC polling: Wired AND Wireless

We are using Impulse on our entire primary wireless network, and wired
in the dorms- and we're well into the thousands. For the admin side,
we're sort of running with the notion that AD is NAC in and of itself,
but that sometimes gets challenged...

No wired 802.1x for us- I think personally I'd rather be poked in the
eye with a stick, but it does get tossed around on occasion. 

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Philippe Hanset
Sent: Friday, March 06, 2009 11:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] NAC polling: Wired AND Wireless

All,

UTK is in the midst of a network redesign.
A big part of it involves Network Access Control.

Is anyone out there with a comparable size campus, or bigger
(26,000 students, 5000 Fac/Staff), implementing a commercial NAC system
for ALL users and all networks (Wired and Wireless)?

We are evaluating products. They work somewhat fine during the pilot
(with major security holes),
but we have this really strong hunch that those products will not size
well!

Any input is welcome,
(except sales pitch ;-)

Thank you,

Philippe Hanset
Univ. of TN

p.s.: Are you doing 802.1x on Wired?



RE: [WIRELESS-LAN] radius reporting

2009-02-25 Thread Scholz, Greg
Nothing routine as it is fairly new to us but it can do qty users, qty
connections in a period of time, access accepts, access rejects, I think
if you set up accounting it can give accounting information.

 

 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Urrea, Nick
Sent: Wednesday, February 25, 2009 12:15 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] radius reporting

 

What kind of information do you poll in your reports?

We currently have IAS setup on Windows 2003 server.

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Scholz, Greg
Sent: Tuesday, February 24, 2009 11:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] radius reporting

 

I've been using IASViewer for our IAS server. I am not sure if it works
for 2008 version. I also don't know if it can send notices but it does
allow for many report options.

http://www.deepsoftware.com/iasviewer/

 

 

_

Thank you,

Gregory R. Scholz

Director of Telecommunications

Information Technology Group

Keene State College

(603)358-2070

 

--If you don't have time to do it right, when will you have time to do
it over?

--Do not let what you cannot do interfere with what you can do.

- John Wooden

 

 

 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Tupker, Mike
Sent: Tuesday, February 24, 2009 1:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] radius reporting

 

We are using server 2008 network policy server for 802.1x
authentication. I was wondering if anyone knows of any good reporting
tools that can look at the MS radius logs and generate usage reports
and/or send notices when specific users sign on to the network? Currently
I've just been opening up the log files in notepad but that is getting a
little annoying, especially with large log files.

 

Mike Tupker

Systems Administrator

Mount Mercy College

Office: (319) 363-1323 x1401

Mobile: (319) 538-1644

If you need assistance with a computer issue please contact the
helpdesk at x4357 or http://help.mtmercy.edu.

 

 

 




RE: [WIRELESS-LAN] radius reporting

2009-02-24 Thread Scholz, Greg
I've been using IASViewer for our IAS server. I am not sure if it works
for 2008 version. I also don't know if it can send notices but it does
allow for many report options.

http://www.deepsoftware.com/iasviewer/

 

 

_

Thank you,

Gregory R. Scholz

Director of Telecommunications

Information Technology Group

Keene State College

(603)358-2070

 

--If you don't have time to do it right, when will you have time to do
it over?

--Do not let what you cannot do interfere with what you can do.

- John Wooden

 

 

 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Tupker, Mike
Sent: Tuesday, February 24, 2009 1:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] radius reporting

 

We are using server 2008 network policy server for 802.1x
authentication. I was wondering if anyone knows of any good reporting
tools that can look at the MS radius logs and generate usage reports
and/or send notices when specific users sign on to the network? Currently
I've just been opening up the log files in notepad but that is getting a
little annoying, especially with large log files.

 

Mike Tupker

Systems Administrator

Mount Mercy College

Office: (319) 363-1323 x1401

Mobile: (319) 538-1644

If you need assistance with a computer issue please contact the
helpdesk at x4357 or http://help.mtmercy.edu.

 

 

 




RE: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Scholz, Greg
We don’t see this but have you checked the “support fast roaming” (or something 
like that) setting on the IAS and clients?

 

 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Bob Richman
Sent: Thursday, February 19, 2009 10:38 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

 

We are using MS IAS for radius  with PEAP. We don’t have trouble getting folks 
configured and connected. Just after that we get complaints of ‘getting kicked 
off’ and was wondering if anyone else sees this sort of behavior. I suspect 
this mostly occurs during roams, but don’t really have any hard data to back 
that up.

 

Thanks, 

Bob Richman

Network Engineer

University of Notre Dame

 rrichma...@nd.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Daniel Bennett
Sent: Thursday, February 19, 2009 8:20 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

 

We have a separate PDA network with MAC filtering and restricted ACLs to make 
up for MAC filtering being weak.

 

Daniel Bennett

IT Security Analyst

Security+

 

PA College of Technology

One College Ave

Williamsport PA 17701

(P) 570.329.4989

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lelio Fulgenzi
Sent: Thursday, February 19, 2009 8:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x

 

Last time I checked, Windows mobile didn't come with a dot1x supplicant (that
worked). Do you require users to purchase their own supplicant or do you have a
site license?

Lelio Fulgenzi, Senior Analyst

Computing  Communications

University of Guelph

519-824-4120 x56354

 

...sent from my iPod - please pardon my fat fingers ;) 

 

[XKJ2000]


On Feb 19, 2009, at 8:09 AM, Lee H Badman lhbad...@syr.edu wrote:

Hi Bob-

 

We’ve been doing dot1x now for a few years, and in my opinion people 
tend to struggle with:

 

-  What EAP type to use

-  What RADIUS server to use

-  How to get supplicants configured, and whether or not to 
support a variety of supplicants

-  What about AD machines over wireless

 

We chose PEAP w/ MS-CHAPv2 because it’s well supported natively in both 
Windows and Mac machines. That being said- we had to say no more support for 
Windows 2000, 98, Me, etc. Same on Mac- a minimum OS was required. We avoided 
other EAP types that require a per-device cert, and officially only support the 
native Windows supplicant and native Mac supplicants for ease of support. 

 

We also chose to stick with our “classic” Cisco ACS 3.3.3 boxes- simply 
because we already had them, and they do a rock-solid job as well as provide 
decent logs (important). They also talk well with our AD credential store for 
user credential verification.

 

We have found the ID Engines- now Cloudpath- supplicant configuration 
tool to be key to our success in that we can point users to a “help SSID” for 
initial client config, or self-remediation later if they hose their settings. 
Very powerful- but again, requires that users use Windows and Mac native 
supplicants and disable all of the ProSet, Broadcom, Toshiba, etc wireless 
utilities. We also provide basic settings in document form for advanced users 
that won’t give up their third party utilities, and for Linux/handheld users 
that we can’t auto-configure.

 

Driver issues will manifest themselves more on a dot1x network- the 
rule of thumb is to keep them updated, or as a minimum, update before going to 
1x. This often helps windows machines when nothing else will. On the Macintosh 
side, unfortunately it seems that even minor code updates can wreak havoc on 
the wireless driver and 1x utility- but once you get past whatever new curve 
ball Apple throws you, they work very reliably. 

 

As for AD machines on wireless- that is a whole different ballgame.
Officially, we do not support AD machines over our wireless networks, but if
the machine name is the same as the userID, it will work in our environment.

 

Then there’s loaner laptops… and NAC integration… and how to handle 
visitors on the network. All have solutions, but you may have to get creative.

 

We have 2000+ APs, 12 WiSMs, and typically see 5,500-6,000 users at 
peak on our wireless networks daily. In the dorms (100% covered) wired usage 
has fallen to less than 20% of what it was 2 years ago, and has become mostly 
an “entertainment” network. 

 

-Lee

 

 

Lee H. Badman

Wireless/Network Engineer

Information Technology and Services


RE: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Scholz, Greg
One caution I would put out for any product that can do machine
authentication is to realize that it means the supplicant is working
prior to user interactive login and with access to system level
credentials. And then does it change over to the user's creds once they
login interactively?

One experience I had with this was about 5-6 years ago. The Cisco VPN
client at the time (don't know if it still does) could be run before
login. To accomplish this it replaced the MSGINA (the program that is
the login box) so that it could supersede it to allow the VPN
client to interact with the user prior to the user proving credentials
to the machine.

I can't say that it caused us any issues but raised some concerns...
1) what if multiple things for whatever reason try to do this (replace
the MSGINA)? What is the order of preference?
2) potential bug and/or exploit in the process
3) making OS patches and updates and upgrades dependent on yet another
piece of software that is probably very sensitive to OS changes

FYI - the Dell utility does allow a user to logon even if they don't
have locally cached credentials as long as they have an AD account. You
need to explicitly set it, but when setup properly the machine account
does not authenticate but the user's credentials are somehow passed to
the Dell utility to bring up the wireless under their credentials
before the MSGINA tries to log into the machine. Once the wireless is
connected under the user's creds, then the user's credentials are sent
through the MSGINA like normal. Works pretty slick, but I wanted to use
the machine credentials so our sys admins could manage the machine as
long as it was on just like wired PCs.

This is a case where I have found it simplest to just use the built in
functionality and so far really the only problem I have seen is poor
reporting to troubleshoot with. Luckily the only troubleshooting
necessary was when we first got our 1x setup. Since then it has worked
very well with machine credentials.


_
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070

--If you don't have time to do it right, when will you have time to do
it over?
--Do not let what you cannot do interfere with what you can do.
- John Wooden





-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Oliver Gorwits
Sent: Thursday, February 19, 2009 2:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Transitioning to dot1x


Johnson, Bruce T wrote:
> One useful application with WZC-based PEAP is machine
> authentication for unattended devices that need to stay
> connected.  I'm not sure any non-native supplicant supports this.

I've not used the software, but the Open1X supplicant now mentions
machine authentication as a feature, in their new release:

   http://open1x.sourceforge.net/

I hear good things about the software, which seems to be under
active development.

HTH,

- --
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services



RE: [WIRELESS-LAN] wired/wireless business model question

2009-01-27 Thread Scholz, Greg
We currently charge for each wired port and for each installed AP and
maintain that the wireless is not a replacement for standard office
connectivity. We know that eventually it could be but today all the
support that goes along with a wired jack (imaging, remote control, PXE
boot) is just not there yet on the wireless. So if we knew of anyone
doing that we would tell them that to get support they have to move it
back to wired. All our PCs are centrally managed.
Our charge model: http://www.keene.edu/it/networksvs/chargeback.cfm
Our wireless charge info:
http://www.keene.edu/it/networksvs/wirelessbilling.cfm

We are currently reviewing both how we provide these services and the
appropriate funding model to ensure continued support and maintenance so
it may look very different in the near future.


_
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070

--If you don't have time to do it right, when will you have time to do
it over?
--Do not let what you cannot do interfere with what you can do.
- John Wooden






-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Philippe Hanset
Sent: Tuesday, January 27, 2009 4:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] wired/wireless business model question

Our current business model relies on charges for wired ports to fund
wireless.
A few months ago, we received from our Tech-Fee budget a special
fund to upgrade the WLAN to 802.11n.

Even with 802.11g, we already see departments moving away from wired
ports to save a few bucks, or to save a percentage of a faculty position
that may be cut otherwise.

I cannot imagine the wave of disconnections that will follow the
upgrade to 802.11n!

Obviously this current business model is outdated, and needs a major
revision.

What are other schools doing?

-IT fee per employee
-Like European ISPs...X-Gigabytes/month/employee, excess are charged
for.
...

Thank you for your time,

Philippe Hanset
Univ. of TN



RE: [WIRELESS-LAN] ceiling mounting APs

2009-01-23 Thread Scholz, Greg
I like your idea for the rods suspended to below the mech equipment.
Also, are you using cable tray? If so is it below the mech equipment
and/or close enough to where you need the APs - if so, hang them from
that. 

 

I don't necessarily like this idea but what about an antenna extension
cable - leave the AP on the hard ceiling and extend the antenna to below
the mech equipment.

 

Wall mount around the perimeter should work as well and/or on some of
the columns. Even with few walls I suspect the facility is not wider
than could be covered.

 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jamie Savage
Sent: Friday, January 23, 2009 1:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] ceiling mounting APs

 


Hi,
We have a new building currently under construction and we're
looking at how best to mount our APs once the site surveys etc have been
completed.  This is an open concept building...ie...a few pillars but
not too many walls.  It is also the first building we have where there
will be no drop ceiling...ie...everything's open up to the concrete
slab ceiling (12' ceilings).  The easy answer is to simply mount the APs
to the slab but that would put them above the mechanical
infrastructure...ie...ductwork, lighting, pipes etc.  How have others
deployed in such a situation?  I foresee us mounting the APs on rods
suspended from the concrete slab that would hang down to a length that
puts the APs below the mechanical equipment. Other comments or
suggestions?

...thanks in advance...J

James Savage                    York University
Senior Communications Tech.     108 Steacie Building
jsav...@yorku.ca                4700 Keele Street
ph: 416-736-2100 ext. 22605     Toronto, Ontario
fax: 416-736-5701               M3J 1P3, CANADA



RE: [WIRELESS-LAN] Channel Selection on APs

2008-10-16 Thread Scholz, Greg
In Meru you pick the channel but it uses a single channel across the
entire SSID when in virtual cell mode, not per AP.
(this is part of the special sauce that they got beat up for a while
ago by other vendors implying they were breaking the standard)

So we don't have to worry about overlapping channels or power settings.




-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Connell
Sent: Thursday, October 16, 2008 10:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Channel Selection on APs

Aruba handles the RF (channel & pwr levels) dynamically...one less
worry...


Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: Martin Jr., D. Michael [EMAIL PROTECTED]
Date: Thursday, October 16, 2008 9:52 am
Subject: [WIRELESS-LAN] Channel Selection on APs
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU


> In the past, we have always setup wireless access points to use
> channels 3, 6, and 11, since these channels are the non-overlapping
> channels.  We have tried to be careful in spacing out APs and picking
> one of these three channels where it seems appropriate to prevent
> interference from one another.
>
> A question was posed by someone in my staff about using the least
> congested channel setting instead of going through all the trouble of
> determining and setting the channel.
>
> So, the questions are...
>
> 1.  What are you other institutions doing about channel selection on
> your Access Points?
> 2.  If you are using 3, 6, and 11, what is your strategy for use and
> what problems and/or successes have you seen?
> 3.  If you are not using 3, 6, and 11, why not? What are you doing?
> And what problems and/or successes have you seen?
>
> Any input is appreciated.
>
> Thanks,
>
> D. Michael Martin, Jr.
> Network Administrator
> University of Montevallo
  


RE: [WIRELESS-LAN] Network Access Control

2008-09-11 Thread Scholz, Greg
We had CCA for wired residential (e.g. students) access for a few years
and recently applied it to the wireless.

We have 3 wireless networks - the one for students now uses CCA. Our
guest wireless does not have NAC but does challenge for email address
(basically anonymous) but we restrict what can be done over the guest
access to minimize risk and eliminate access to on campus resources.

See rest below

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of John Duran
Sent: Thursday, September 11, 2008 10:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Network Access Control

 

Good Morning All,

 

Who is using NAC (Network Access Control) for wireless client
authentication and posturing? 

1) What solution did you select?

a. CCA

2) How easily did it integrate with your existing infrastructure?

a. Very easily, just added a corresponding VLan to CCA for the
student wireless vlan/ssid

3) What is your existing infrastructure and wireless solution?

a. We use Foundry wired and wireless (wireless is rebranded Meru)

4) How well has it performed?

a. Very well since it was already in use for a few years on the
wired

5) If you had to do it again would you select the same product?

a. Yes - from the perspective of using the same solution for wired
and wireless - but if/when we move from CCA it would be for both wired
and wireless to keep them the same

6) What were the successes and failures of the deployment?

a. success - simplicity/familiarity, failure - nothing - see 4 & 5
above

7) What was the impact on your technical staff to prepare for
deployment?

a. Nearly nothing - see 4, 5, & 6 above

8) How well does it scale?

a. As well as CCA scales which is why we are considering moving from
CCA for all our nac

9) How are the management tools and maintenance for the solution?

 

 

 

Thanks a million,

 

 

 

John V. Duran
University of New Mexico
Network Engineer

ITS/Network Communications/Data Services
Ph: (505) 249-7890
Fax: (505) 277-8101



RE: [WIRELESS-LAN] Wireless Router Policy

2008-09-05 Thread Scholz, Greg
I misspoke the first time. We did not find it in syslog. At this time we
can't determine if it is in syslog or the web manager's event log but we
stumbled on it in the CAS logs. You would think that since Strict layer
2 is a configurable feature one should be able to view whether or not
it is happening in reasonably accessible logs. Thanks Cisco.

You can find it on each CAS: go to cd /perfigo/logs  directory then
look at perfigo-redirect-log0.log.0 file
At this point if you grep for NAT you'll see the following entries ..
Ex; [EMAIL PROTECTED] logs]#  grep NAT perfigo-redirect-log0.log.0

 
Example:
Aug 31, 2008 8:52:09 AM com.perfigo.wlan.web.Util logEvent
SEVERE: Possible NAT/Router in path User IP 158.65.scrubbed, User Name
scrubbed, Router MAC 00:17:3F:F3:37:81, User MAC
00:14:A5:AE:74:E6,00:16:D4:0E:83:65

Hope it helps,
Greg
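
One way to pull the "Possible NAT/Router in path" entries described above out of the redirect log and group them by router MAC. This is an added example, not part of the original message and not Cisco tooling. The sample log is constructed from the layout of the quoted entry, the function names are hypothetical, and it assumes every record starts with a timestamp/logger line like the one quoted.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the layout of the entry quoted above: a timestamp/logger
# line followed by the SEVERE line. The second record is wrapped the way the
# e-mail wrapped it. All names, IPs and MACs are made up.
SAMPLE_LOG = """\
Aug 31, 2008 8:52:09 AM com.perfigo.wlan.web.Util logEvent
SEVERE: Possible NAT/Router in path User IP 192.0.2.17, User Name alice, Router MAC 02:00:5E:10:00:01, User MAC 02:00:5E:AA:00:01,02:00:5E:AA:00:02
Aug 31, 2008 9:15:42 AM com.perfigo.wlan.web.Util logEvent
SEVERE: Possible NAT/Router in path User IP 192.0.2.17, User Name
bob, Router MAC 02:00:5e:10:00:01, User MAC
02:00:5E:BB:00:01
Aug 31, 2008 9:16:00 AM com.perfigo.wlan.web.Util logEvent
INFO: constructed unrelated entry
Sep 1, 2008 10:03:00 PM com.perfigo.wlan.web.Util logEvent
SEVERE: Possible NAT/Router in path User IP 192.0.2.40, User Name carol, Router MAC 02:00:5E:10:00:02, User MAC 02:00:5E:CC:00:01
"""

HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ \S+$")
MAC = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"
EVENT = re.compile(
    r"^SEVERE: Possible NAT/Router in path User IP (?P<ip>\S+), "
    r"User Name (?P<user>.+?), Router MAC (?P<router>" + MAC + r"), "
    r"User MAC (?P<macs>" + MAC + r"(?:\s*,\s*" + MAC + r")*)$"
)


@dataclass
class NatEvent:
    when: datetime
    user_ip: str
    user_name: str
    router_mac: str      # MAC seen in the frame header
    user_macs: tuple     # MACs the client agent reported in the payload


def parse_events(text):
    """Return NatEvent objects for every 'Possible NAT/Router in path' record."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:                                   # a new record starts here
            current = [m.group(1), []]
            records.append(current)
        elif current is not None and line.strip():
            current[1].append(line.strip())     # body or wrapped continuation
    events = []
    for stamp, body in records:
        m = EVENT.match(" ".join(body))
        if not m:
            continue                            # some other log event
        events.append(NatEvent(
            when=datetime.strptime(stamp, "%b %d, %Y %I:%M:%S %p"),
            user_ip=m.group("ip"),
            user_name=m.group("user"),
            router_mac=m.group("router").lower(),
            user_macs=tuple(x.strip().lower() for x in m.group("macs").split(",")),
        ))
    return events


def summarize_by_router(events):
    """Group events by router MAC, the value to look up in switch MAC tables."""
    summary = defaultdict(lambda: {"users": set(), "client_macs": set(),
                                   "first": None, "last": None, "hits": 0})
    for ev in events:
        s = summary[ev.router_mac]
        s["users"].add(ev.user_name)
        s["client_macs"].update(ev.user_macs)
        s["first"] = ev.when if s["first"] is None else min(s["first"], ev.when)
        s["last"] = ev.when if s["last"] is None else max(s["last"], ev.when)
        s["hits"] += 1
    return dict(summary)


def shared_routers(summary):
    """Router MACs with more than one user name behind them, busiest first."""
    shared = [(mac, s) for mac, s in summary.items() if len(s["users"]) > 1]
    return [mac for mac, s in sorted(shared, key=lambda p: -len(p[1]["users"]))]


if __name__ == "__main__":
    report = summarize_by_router(parse_events(SAMPLE_LOG))
    for mac, s in sorted(report.items()):
        print(f"{mac} hits={s['hits']} users={sorted(s['users'])} "
              f"first={s['first']} last={s['last']}")
    print("shared:", shared_routers(report))
```

A router MAC with several user names behind it is the neighbor case raised in the quoted message below, and that MAC is the value to search for on the switches.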



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Walt Howd
Sent: Friday, September 05, 2008 10:04 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Router Policy

Greg - Can you detail where this information is stored on CCA layer 2  
mismatches? Can you access it via the CAM's web interface in the  
Event logs section, or do you need to be logging to an external  
syslog server? Thanks.

Walt

On Sep 5, 2008, at 8:35 AM, Scholz, Greg wrote:

 CCA has had some level of NAT restriction and what they call strict L2
 whereby the server checks the MAC in the header of the user's
 authentication/assessment packet against the MAC reported by the CCA
 client written in the payload of the authentication packet.

 If the MAC of the header is different than the MAC in the payload it is
 restricted from getting on. There are 2 problems with this.
 1) many consumer grade routers/wireless units clone the first mac/ip
 that go through it so the unauthorized device looks just like the
 computer and it is allowed through.
 2) when it does clone that first device and they work fine, what happens
 to the unsuspecting next door neighbor whose wireless card finds the
 offender's router and attempts to go through it?

 Even though it is imperfect we are still using this feature and finding
 mixed results. Most importantly though the syslogs (not the gui logs) do
 show when the event occurs with a fairly detailed entry of what the
 packet looked like (e.g. header mac and all client reported macs) so we
 can find them on the network.

 Greg


 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Berman
 Sent: Friday, September 05, 2008 7:58 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Wireless Router Policy

 This is basically our position as well. The prohibition is in our
 Computing Ethics and Responsibilities policy, which, along with the
 Privacy Policy constitute our AUP. The wording is in the section on
 tampering and says:

 You may not modify residential computing network services or wiring or
 extend those beyond the area of their intended use. This applies to all
 network wiring, hardware, and cluster and in-room jacks. Gateways and
 firewalls designed for home use, such as Cable/DSL routers and Wireless
 Access Points, can disrupt the normal operation of the Williams network
 and are not allowed.

 A recent upgrade of our Impulse Point policy enforcement appliance gave
 us the ability to locate and automatically shut down NAT gateways and
 we're about to turn that function on.

 - Mark
 --
 Mark Berman, Director for Networks & Systems
 Williams College, Office for Information Technology
 *** Please consider the environment before printing this message




 -Original Message-
 From: Tony Fellows [mailto:[EMAIL PROTECTED]
 Sent: Thursday, September 04, 2008 10:58 AM
 Subject: Re: Wireless Router Policy

 Hi,

 I picked up on this issue because some years ago, I too had a problem
 with our small university college and the reluctance of management to
 prohibit rogue device connectivity to the central network. So rather
 than create a new policy I modified the AUP (acceptable Use Policy) -
 which every student and staff member signs up to (electronically) each
 new academic year.  I submitted clauses in the policy banning any
 device from being connected to the central network - which isn't the
 property of the university - which hasn't been vetted for use - or
 which is deemed unsuitable by IT Services staff.   It is pointed out
 that disciplinary action will be taken if any device is found to be
 illegally connected.
 To support these clauses - the security and integrity of the network
 was the main mission.  To manage data traffic and ensure a level of
 bandwidth throttling  which is sustainable for all users and services.

 I think a previous contributor from Georgia State - Charles - was spot
 on when he implied that without

RE: [WIRELESS-LAN] Roque AP's

2008-08-25 Thread Scholz, Greg
Any idea if these types of devices may allow computers to connect to
them as ad-hocs? In effect black-holing them?

 

_

Thank you,

Gregory R. Scholz

Director of Telecommunications

Information Technology Group

Keene State College

(603)358-2070

 

--Lead, follow, or get out of the way. 

(author unknown)

 

 

 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Lee H Badman
Sent: Monday, August 25, 2008 10:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Roque AP's

 

Just that they show up overpowered, all over the place for channels...

 

Lee H. Badman

Wireless/Network Engineer

Information Technology and Services

Syracuse University

315 443-3003



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Chris Murphy
Sent: Monday, August 25, 2008 10:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Roque AP's

 

Is there some particular issue you have with devices like the Airport?
Given it's 802.11 based and doesn't need to run in AP mode when used to
stream audio, is there some other problem you're seeing?

-Chris Murphy


On 8/25/08 8:40 AM, Peter P Morrissey [EMAIL PROTECTED] wrote:

Thanks Mike. We have SafeConnect. The difference is we allow wired
routers to make games, Tivo's, Slingboxes easier. I know SafeConnect
does a pretty good job ID'ing a lot of the games, but how do you deal
with Tivo's, Slingboxes, IP Phones etc?
 
The other challenge we're having is that we are seeing wireless devices
that don't use the wired Ethernet. Today we had someone with an AirPort
using them strictly for their wireless speakers.
 
Pete Morrissey
 



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Binns
Sent: Monday, August 25, 2008 8:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Roque AP's

Our NAC system, Impulse SafeConnect, detects rogue AP's by using what
they call NAT Detection. If the gateway of the student's computer does
not match the gateway of the network, their IP (external one of the
rogue router/AP) gets blocked with a message stating the following:
=
You are connected to the network through an unapproved device
 
To connect to the Gordon college network, you must plug directly into
the network through the port in your room, or be connected to the
official campus wireless network.
The official Gordon wireless networks include:

=
The students see this message, and learn that the devices are not
allowed (and don't work), they then unplug them, getting rid of the
rogue wireless signal.
 
This has eliminated not only wireless rogues, but wired routers (which
we also prohibit).
 
-Mike
 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Peter P
Morrissey
Sent: Saturday, August 23, 2008 8:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Roque AP's

Has anyone had any success dealing with Rogue AP's?
Is anyone else seeing a lot of them this year?
We have 100% coverage in the dorms, and advertise this. We also
constantly tell people not to put up rogues, but it is very challenging
to control the rogues in our dorms.
 
Pete Morrissey
Syracuse University


RE: [WIRELESS-LAN] Roque AP's

2008-08-24 Thread Scholz, Greg
We have seen the problem as well and don't have a definitive answer.
However, we are a Meru/Foundry wireless shop and there is built in rogue
detection/mitigation and are in discussion on implementing. I think most
controller based solutions have features/options like this, and there
are 3rd party platforms designed specifically for it.

I don't think any of the solutions are fully mature yet so you probably
have to come up with a creative combination solution NAC/network port
security/wireless rogue detection/etc

 

 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Peter P
Morrissey
Sent: Saturday, August 23, 2008 8:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Roque AP's

 

Has anyone had any success dealing with Rogue AP's?

Is anyone else seeing a lot of them this year?

We have 100% coverage in the dorms, and advertise this. We also
constantly tell people not to put up rogues, but it is very challenging
to control the rogues in our dorms.

 

Pete Morrissey

Syracuse University



RE: [WIRELESS-LAN] Logging into a Active Directory domain via wireless 802.1x

2008-07-21 Thread Scholz, Greg
If the machine is domained and you check the box "Authenticate as
computer when computer information is available" in the SSID setup under
the Authentication tab then on boot up the computer account will be
used to log in providing you allow it in your radius config. Our radius
is a Microsoft IAS box that is a member of the domain and I specifically
allow DOMAIN\Domain users and DOMAIN\Domain Computers and it works
great.

 

You can watch at boot up an IAS event log entry for the computer logging
in and then after a user logs in there is a new entry from that same
client machine for the specific user.

 

Hope it helps.

Greg

 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Youngquist,
Jason R.
Sent: Monday, July 21, 2008 2:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Logging into a Active Directory domain via
wireless  802.1x

 

We have several kiosk computers setup in our Student Commons area, and
they are accessing the Internet wirelessly.  What I'd like to be able to
do is join the computers to a domain and then have the students login
with their Active Directory credentials.  We will also be configuring
the computers to use 802.1x over wireless.  From what I've googled,
wireless doesn't appear to be setup until a person logs into the
computer.  

 

Is there any way to accomplish this?

 

Thanks.

Jason Youngquist

Network Engineer - Security

Technology Services

Columbia College

1001 Rogers Street, Columbia, MO  65216

(573) 875-7334

[EMAIL PROTECTED]

http://www.ccis.edu

 

 

 

 



RE: [WIRELESS-LAN] NAT in large scale wireless networks

2008-07-03 Thread Scholz, Greg
Stan,
Can you tell me what type of location information you get and from what
log? 802.1x/WPA-Enterprise, so we have usernames and locations in our
logs

We are trying to figure out if there is a way to determine what APs users
are/have been on but all we have seen in the radius logs is the
controller as the NAS.


Thanks,
Greg



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Brooks, Stan
Sent: Wednesday, July 02, 2008 6:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] NAT in large scale wireless networks

Mike,

We, too, are an Aruba shop, and have been doing NAT on our academic and
ResNet wireless networks for about a year now.  Two years ago, we ran
out of IP addresses on our wireless network on Move-In Weekend and had
to scramble to add additional subnets - a scarce commodity here at
Emory.  To prevent that from happening last year, we implemented NAT for
our wireless clients and now have plenty of address space for our
growing user base.

We let the Aruba controllers perform the NAT function (very easy to set
up - just a firewall rule in the user role in the Aruba config). We've
not had any complaints from users regarding NAT issues; we were
concerned that it might break some apps, but no problems have been
observed or reported.  We've even got our homegrown NAC (NetReg/CAT)
working over the wireless, too - NetReg DHCP traffic is not NAT'ed, but
all other traffic is.  This all works great, thanks to the Aruba
capabilities.

The only issue we've had with NAT has been voiced by Philippe - DMCA
notices are hard to isolate.  Our wired network has some protection in
place to identify and reduce peer-to-peer traffic (Tipping Points), so
we don't generally get a lot of notices.  User tracking and RF location
still works well as those are functions of the radio and authentication
subsystems.  Our academic users log on using 802.1x/WPA-Enterprise, so
we have usernames and locations in our logs.  Connecting those usernames
to the NAT pool IP addresses is the hard part.

I'd be happy to share some basic configuration tips and tricks regarding
NAT with you off-list, or on-list if others are interested.

BTW - We've been NAT'ing our guest access users since day one on the
Aruba equipment.  Guests log in through the captive portal and are
given limited access - bandwidth limited web access and VPN access back
to their home organizations.

 - Stan Brooks - CWNA/CWSP
  Emory University
  Network Communications Division
  404.727.0226
AIM/Y!/Twitter: WLANstan
   MSN: [EMAIL PROTECTED]
GoogleTalk: [EMAIL PROTECTED]

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Dickson
Sent: Tuesday, July 01, 2008 9:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] NAT in large scale wireless networks

Though we currently have enough available routed IP space for our
wireless clients we are looking toward the future and wondering if
NAT-ing the wireless network makes sense.

Does anyone have any experiences, good or bad, using NAT for the
wireless client pool in a large scale environment? What features go
away (i.e. RFID or user tracking, etc.) Are there any gotchas?

We're an Aruba shop and expect about 3000+ wireless clients this
semester and have been adding more APs by the week.

Thanks,
  Mike

***
Michael Dickson Phone: 413-545-9639
Network Analyst [EMAIL PROTECTED]
University of Massachusetts
Network Systems and Services
***



RE: [WIRELESS-LAN] User Tracking with IAS

2008-06-24 Thread Scholz, Greg
Sorry, no experience with any of them yet but I recently stumbled on
some options when I was troubleshooting IAS.

Just google IAS log file format or IAS logging. You get some technet
articles but also other solutions for parsing/reporting from the IAS
logs.

 

 

Thanks,
Greg

 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Urrea, Nick
Sent: Tuesday, June 24, 2008 2:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] User Tracking with IAS

 

I am looking for a solution to perform user tracking using an IAS
server.

We will be rolling out WPA2/802.1x this summer and I would like to do
user tracking.

I would like to poll all the user logins/logoffs into a
database/application.

Any ideas of software/solutions?  

 



Nicholas Urrea

Information Technology 

UC Hastings College of the Law

[EMAIL PROTECTED]

x4718

 



RE: [WIRELESS-LAN] Wireless authentication for guests/visitors - something along the lines of hotel gatekeeper?

2008-06-05 Thread Scholz, Greg
A response like this may spur a flurry of disagreement but here goes...
We blocked all P2P apps using all available technology last year and
have not received a single DMCA notice since (knock on wood).
We blocked using our checkpoint firewall and packeteer packet shaper in
both directions.

So...in your case, even if you can't or won't block carte blanche like
this I suggest somehow setting up a ssid/vlan/security profile or
whatever for these types of users and do not let them do anything except
minimal connectivity to the web. (e.g. http, https, dns, IPSec)

Due to CALEA and other related mandates I think (i.e. in my opinion) the
trend even on campuses is going toward anonymous guest access either
being non-existent or having minimal allowed services and sponsored or
authenticated guest access being used for cases where people need/want
more access.


And along with our block we highly prompted our exception policy that
allows exceptions for just about any justified activity...we got TWO
requests and both of which found other ways to get what they needed
before we had their exception in place.


_
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070

--Lead, follow, or get out of the way. 
   (author unknown)




-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Braden
Sent: Thursday, June 05, 2008 1:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless authentication for guests/visitors -
something along the lines of hotel gatekeeper?

First, let me apologize for my naivete.  I had planned to subscribe and
lurk a bit to come up to speed but my exposure requires I move a little
faster.  

We recently have heard from the RIAA regarding copyrighted content at
one of our conference centers. These centers are used for short periods
by customers who are there for training. They generally bring their own
resources which might have various peer-to-peer clients and the
associated content.  These customers are not required to 'register' or
authenticate. They are given the key to our wireless SSID and allowed to
access the network.  The more rapid response of the copyright
enforcement organizations to identify content has necessitated the need
for some type of authentication/registration for these connections.  Can
someone offer some suggestions on how best to manage these connections?


If that involves purchasing a specific wireless router to direct the
session to at the time of the IP being issued please indicate which
vendors or models those are.   It would be nice to have an open source
solution that could be installed on a PC and do monitoring for the
traffic but that is not a high priority. 

We really don't need to block it (because it could be authorized). Only
make sure we can identify where the content resides and determine a
proper response. 

Anything you could offer would put me in a better position than I am now
- thanks. 

Jimmy C Braden
Information Security Officer
Extension Information Technology
Texas AgriLife Extension Service
979-862-7254
[EMAIL PROTECTED] 



RE: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA

2008-05-30 Thread Scholz, Greg
Based on your description it sounds like a server config issue not a
client issue. (we are currently dealing with EAP/802.1x configuration as
well). Your event log entry "the Extensible Authentication Protocol
(EAP) Type cannot be processed by the server" indicates it is getting an
EAP request, just not of a type you have set up on the server.

I am unfamiliar with 2008 policy server but in 2003 IAS you need to
click EAP Types and ensure you have EAP configured right and to use a
WLan type certificate.

Does your config work for EAP for any clients right now?


_
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070

--Lead, follow, or get out of the way. 
   (author unknown)




-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Friday, May 30, 2008 12:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA

The Odyssey Client worked great!  Does anyone have a reseller they use
for this?  The list price is $50 per license but I am hoping to get
better prices being education.


Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Appah
Sent: Friday, May 30, 2008 11:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA

I have only used it as a part of windows mobile 5 on Intermec scanners
and touch screen devices, so I admit, I've only used it as a
pre-installation.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Lee H Badman
Sent: Friday, May 30, 2008 8:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA

I have found Odyssey to be great on iPAQs and such that had it packaged
as part of the original software build that shipped with the device, but
less than 50% effective/reliable as an add-on to other hand-helds.

-Lee


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Appah
Sent: Friday, May 30, 2008 11:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA

Most Windows Mobile 6 devices do WPA2 and 802.1x but a better client to
use would be Funk, (now juniper) odyssey client...

http://www.juniper.net/products_and_services/aaa_and_802_1x/odyssey/index.html


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Friday, May 30, 2008 7:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA

Does anyone know a third-party piece of software that will allow me to
connect Windows Mobile 5 or 6 to our WPA2 with 802.1x using PEAP
wireless network?  We don't use personal certificates for
authentication, only a username and password.  We are using Windows 2008
Network Policy Servers as our radius server.  Below is an event log
entry.  We can get the PDA connected, it transmits the username and
password but the EAP isn't working.  I have tried enabling all EAP
protocols and all encryption options and I still get the EAP error
below.  Any help?


Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID:xx\xx
Account Name:   xx\xx
Account Domain: xx
Fully Qualified Account Name:   xx\xx

Client Machine:
Security ID:NULL SID
Account Name:   -
Fully Qualified Account Name:   -
OS-Version: -
Called Station Identifier:  00-18-74-F8-4D-F0:ssid
Calling Station Identifier: 00-1A-6B-93-62-ED

NAS:
NAS IPv4 Address:   10.x.x.x
NAS IPv6 Address:   -
NAS Identifier: WiSM-B
NAS Port-Type:  Wireless - IEEE 802.11
NAS Port:   29

RADIUS Client:
Client Friendly Name:   WiSM2
Client IP Address:  10.x.x.x

Authentication Details:
Proxy Policy Name:  Authenticate pct.edu Users
Network Policy Name:Employee Wireless Policy
Authentication Provider:Windows
Authentication Server:  NPS2.pct.edu
Authentication Type:EAP
EAP Type:   -
Account Session Identifier:

RE: [WIRELESS-LAN] Adding wireless without losing the jacks?

2008-01-02 Thread Scholz, Greg
We also have a per jack funding model and I had the same concern as
wireless was being requested more and more. We wrote a procedure for how
to obtain wireless for your area and coupled a charge to it.

We specifically state that wireless is not supported on our campus as a
replacement to standard office wired jacks.

Entire charge back model:
http://www.keene.edu/it/networksvs/chargeback.cfm

Wireless:
http://www.keene.edu/it/networksvs/wirelessbilling.cfm

I personally believe that a wireless network can be built to replace the
wired jacks. However, it would be bigger and much more complicated than
anything we are willing and able to undertake at this time. That being
said if you already have a substantially secure and robust wireless
network (and a great billing system) maybe it is time to consider
charging per connected device rather than the actual jack.

_
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070
 
--Lead, follow, or get out of the way. 
(author unknown)
 -Original Message-
From: Michael Dickson [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 27, 2007 1:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Adding wireless without losing the jacks?

Wondering if others face a similar situation and what they are doing
about it. In short, what is *wireless* used for and what is *wired* used
for and how are the intended uses enforced?

We currently have a funding model that includes a per-jack monthly
charge for wired users. As we add wireless coverage to these
traditionally wired floors we are faced with the potential of canceled
jacks and a migration to wireless. If other schools have a similar
funding model, how have you dealt with this issue?

How are other schools dealing with a wireless overlay in traditionally 
fully wired areas with respect to migration onto wireless? Is migration 
away from the jacks desired? Is it suppressed through policy 
restrictions? What has worked for ensuring the wired infrastructure is 
still used? Just saying stay on the jack for better performance and 
security doesn't appear to be enough.

In IT we often discuss the need to upgrade older Cat3 jacks to the 
newest cabling, as well as install wireless coverage in the same areas. 
These two efforts seem at odds with each other and appears financially 
risky to management. How are schools achieving harmony in a mixed 
wired/wireless world?

Thanks,
  Mike

---
Michael Dickson
Network Analyst
University of Massachusetts Amherst
Network Systems and Services
[EMAIL PROTECTED]



RE: [WIRELESS-LAN] Controlling Encrypted p2p

2007-10-23 Thread Scholz, Greg
We use our shaper and firewall to block any P2P protocols that they can
determine. So the encrypted P2P problem tends to not be that it can't be
seen at all, just that the data channel is encrypted - block the session
channel and the data channel will never be established - kind of like
the data channel on FTP.

If you try to regulate it you will slow down session creation but once
the sessions are created they will have ample bandwidth that is not
controllable...at least that is what we determined prior to blocking
altogether.

_
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070
 
--Lead, follow, or get out of the way. 
(author unknown)
 -Original Message-
From: George Rogato [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 23, 2007 3:18 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Controlling Encrypted p2p

How is everyone controlling encrypted p2p traffic?

Thanks

George



RE: [WIRELESS-LAN] Wifi Location based Access Control

2007-10-09 Thread Scholz, Greg
We recently started deploying Foundry Network wireless solution which is
an OEM Meru.  The product is called Location Manager and it is supposed
to do exactly what you are asking.  Ironically though I think the
Location Manager piece was originally Foundry's for their thick AP
models and OEMed it back to Meru for their thin APs.  Currently Location
Manager for Mobility Series (Foundry/Meru thin APs) is in Beta and is
definitely still a Beta.  It shows promise though.

_
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070

--Lead, follow, or get out of the way.
(author unknown)

From: Jamie Savage [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 09, 2007 2:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wifi Location based Access Control

I recently sat through a Meru presentation where they discussed the fact
that they could do this.   I believe it works by comparing triangulated
client locations to your CAD floorplans... you might want to check
with them.   However, it sounds like you're not looking to replace all
of your wireless infrastructure  (i.e., I think you'd need to use all
Meru hardware to use this solution)

J

James Savage                    York University
Senior Communications Tech.     108 Steacie Building
[EMAIL PROTECTED]               4700 Keele Street
ph: 416-736-2100 ext. 22605     Toronto, Ontario
fax: 416-736-5701               M3J 1P3, CANADA



Urrea, Nick [EMAIL PROTECTED]
10/09/2007 02:07 PM

Please respond to: The EDUCAUSE Wireless Issues Constituent Group Listserv
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
cc:
Subject: [WIRELESS-LAN] Wifi Location based Access Control

We at UC Hastings are looking for a solution to create physical
boundaries inside our wifi network.
We would like to shut out the Students from using our wifi network in
our classrooms but not in study areas.
Our buildings are located in downtown SF and have study areas located
next to classrooms.
NewBerryNetworks has a product that does wifi location based Access
Control.
If a client is found to be located in an area that we don't want the
client to have access to the wifi network the client is blocked at the
proxy or Authentication firewall.
Does anybody know of any solutions besides NewberryNetworks for locking
students out of classrooms that doesn't involve scheduling?
We have already looked at scheduling solutions to deny access.

Nicholas Urrea
IT Support Specialist
UC Hastings College of the Law
[EMAIL PROTECTED]
x4718



RE: [WIRELESS-LAN] Rogue DHCP on wireless network

2007-08-30 Thread Scholz, Greg
Should be easily accomplished by putting filters (ACLs) on the APs
themselves. I know in the aironet 350 days this was possible. Block
bootpserver inbound on the radio side. In fact while you're at it you
may as well block bootpclient outbound on the radio side so that your
legitimate bootpclient broadcasts don't go out the radio saving a little
bandwidth.



_
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070
 
--Lead, follow, or get out of the way. 
(author unknown)
 

-Original Message-
From: Fred Archibald [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 30, 2007 11:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Rogue DHCP on wireless network

Ryan,
In our Cisco/Airespace environment, on each WLAN, we set the DHCP
address assignment to required.  This forces the controller to only
allow traffic to be forwarded for clients that obtained their DHCP lease
from a DHCP server that is behind the controller on our wired
infrastructure. This feature has worked very well for us in EECS. I
believe this will work for you.
Fred

Ryan Lininger wrote:
 I have been having some issues recently with DHCP on the wireless
 network.  It really has been misconfigured laptops running internet
 connection sharing so far (nothing malicious) but we have been
 experiencing outages because of it.  We are a Cisco Switched
 environment but our wireless network is a Cisco and 5G network with a
 bluesocket captive portal.  I have DHCP snooping running on all the
 switches in our environment that can run it but that is the only way
 that I have been able to battle this issue.  Everything else is
 manually hunt down the culprit and meet with them to fix their machine.

 I would like to know how others have been battling the problem of
 rogue systems serving DHCP on their wireless network?  I wouldn't mind
 hearing how people have battled this problem on the wired network
 either (these solutions may port over).

 Any help is appreciated.

 Ryan.
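
The two radio-side filter rules from Greg's reply at the top of this thread, modelled as an added Python example (not code from the thread or from any vendor). Matching on the UDP source port, the function names, and all sample packets are assumptions constructed for illustration; the parser also names the offending server so the laptop can be tracked down.

```python
import struct
from ipaddress import IPv4Address

BOOTPS, BOOTPC = 67, 68          # UDP ports used by DHCP servers / DHCP clients
MAGIC = b"\x63\x82\x53\x63"      # magic cookie after the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload):
    """Parse a UDP payload as DHCP; return a dict, or None if it is malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    hlen = payload[2]
    if hlen > 16:                 # the chaddr field is only 16 bytes long
        return None
    info = {
        "op": payload[0],                               # 1 = request, 2 = reply
        "yiaddr": str(IPv4Address(payload[16:20])),     # address being handed out
        "client_mac": payload[28:28 + hlen].hex(":"),
        "msg_type": None,
        "server_id": None,
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:           # End option
            break
        if code == 0:             # Pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:  # option runs past the end of the packet
            return None
        if code == 53 and length == 1:
            info["msg_type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 54 and length == 4:
            info["server_id"] = str(IPv4Address(value))
        i += 2 + length
    return info


def radio_filter(direction, sport, payload=b""):
    """Apply the two rules on the AP radio interface.

    direction "in"  = frame received from a wireless client
    direction "out" = frame about to be transmitted over the air
    """
    if direction == "in" and sport == BOOTPS:
        d = parse_dhcp(payload)
        if d is None:
            return ("drop", "server-port traffic from radio, unparseable payload")
        return ("drop", f"rogue DHCP {d['msg_type']} from server-id {d['server_id']}, "
                        f"handing {d['yiaddr']} to {d['client_mac']}")
    if direction == "out" and sport == BOOTPC:
        return ("drop", "wired client broadcast kept off the air")
    return ("permit", "")


def build_dhcp(op, msg_type, client_mac, yiaddr="0.0.0.0", server_id=None):
    """Build a minimal DHCP payload for the constructed samples below."""
    mac = bytes.fromhex(client_mac.replace(":", ""))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, len(mac), 0,
                         0x1234ABCD, 0, 0, bytes(4), IPv4Address(yiaddr).packed,
                         bytes(4), bytes(4), mac, b"", b"")
    options = bytes([53, 1, msg_type])
    if server_id:
        options += bytes([54, 4]) + IPv4Address(server_id).packed
    return header + MAGIC + options + b"\xff"


# Constructed sample traffic: (direction, UDP source port, payload)
ROGUE_OFFER = build_dhcp(2, 2, "02:00:00:aa:bb:01", "192.168.0.23", "192.168.0.1")
SAMPLES = [
    ("in", BOOTPC, build_dhcp(1, 1, "02:00:00:aa:bb:01")),       # wireless client DISCOVER
    ("in", BOOTPS, ROGUE_OFFER),                                 # laptop sharing its connection
    ("out", BOOTPS, build_dhcp(2, 2, "02:00:00:aa:bb:01",
                               "10.0.0.50", "10.0.0.5")),        # campus server's OFFER
    ("out", BOOTPC, build_dhcp(1, 1, "02:00:00:cc:dd:02")),      # wired client broadcast
    ("in", BOOTPS, ROGUE_OFFER[:200]),                           # truncated server packet
]


def run_samples():
    """Return the (action, reason) verdict for each constructed sample."""
    return [radio_filter(d, sport, payload) for d, sport, payload in SAMPLES]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

Client requests arriving from the radio and the wired server's replies going out to it are both permitted, so legitimate leases still complete while a wireless client can never answer as a server.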




RE: [WIRELESS-LAN] ARP floods with Cisco APs - could this be the bug?

2007-07-24 Thread Scholz, Greg
According to the network world article they run both.

Most of the WLAN is comprised of Cisco thin access points and
controllers. Some older autonomous Cisco Aironet access points tend to
uncover the flooding first, since they try to resolve the ARP request
themselves.

http://www.networkworld.com/news/2007/071607-duke-iphone.html?page=2


_
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070
 
--Lead, follow, or get out of the way. 
(author unknown)
 -Original Message-
From: Michael Kaegler [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 23, 2007 3:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ARP floods with Cisco APs - could this be
the bug?

At 1:00 PM -0500 7/23/07, Frank Bulk wrote:
Joe:
No, I don't think so, as this relates to the IOS versions of Cisco's 
product, and it's my understanding that Duke uses the LWAPP 
configuration.

At 5:35 PM -0400 7/13/07, Kevin Miller wrote:
For the last week or so, we have seen some unusual problems with our
autonomous (cisco) APs.

According to Duke, Duke runs autonomous cisco APs.
I haven't seen anyone with a Cisco BugID, and some quick toolkit 
surfing doesn't raise any suspects, which means they're probably 
keeping it under wraps.

Kevin's sure been...quiet. poke, poke :)
-porkchop

-- 
Michael Porkchop Kaegler, Sr. Network Analyst
(845) 575-3061 Marist College, Poughkeepsie, NY



Wireless only dorms

2007-04-16 Thread Scholz, Greg
Some pointed questions stemming from recent list serve discussions.

*   Do you have any residence halls where you do not provide wired
network and have only wireless networking for residents?
*   If so, how many?
*   How many students per building?
*   Why did you choose this?
*   ANY gotchas you can think of or support issues you ran up
against? (e.g. where do I plug in my game box?)

We are leaning toward making an existing residence hall wireless only.
The wire is cost prohibitive to replace in this particular facility.

9 building complex, 50 students per building, wood construction, 3
floors per building.

_
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070

--Lead, follow, or get out of the way.
(author unknown)



RE: [WIRELESS-LAN] microcell vs virtual cell

2007-04-06 Thread Scholz, Greg
I am also interested in anything you find.


-Original Message-
From: Steve Fletty [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 06, 2007 3:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] microcell vs virtual cell

Is there any scholarly or technical data/analysis of the single-channel
virtual cell architecture vs the traditional micro-cell WIFI
architecture?

I don't want to hear from vendors. I don't want bake-off results or 
vendor white papers. I'd like to know if there's any hard science 
comparing the two contrasting schemes.

--
Steve Fletty
Network Design Engineer
University of Minnesota



RE: [WIRELESS-LAN] Highrise dorm RF design

2007-03-27 Thread Scholz, Greg
For such a large deployment I would be putting pressure on a manufacturer
AND reseller to give a guaranteed design.

You also may find slightly (or substantially) different designs
depending on manufacturer as well. You did not mention if you have a
preferred manufacturer yet.

 _
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070
 
--Seek first to understand, and then to be understood. 
(Steven Covey)
 
-Original Message-
From: Karl Reuss [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 27, 2007 9:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Highrise dorm RF design

We're getting ready to expand our campus wireless
coverage into the dorms; full coverage for 12,000 students
over the next year.  The recent dorm discussions here have
been very helpful.

I'm wondering if anyone has experience with dense
AP deployments in traditional high-rise dorms.  About half
of our students live in these monsters.  8 floors, 250' straight
hallway down the middle of each, rooms on either side, block
walls, 70 users per floor.  Sort of like prison cells:)  Our
field guys and residential facilities folks would rather not
put the APs in student rooms, which basically just leaves the
hallways.  I'm worried about co-channel interference on the b/g
side.  6 or 7 APs down a hallway in clear sight of each other
will surely step on each other.  Loss through the floors only
seems to be 10db, which means we need to watch the vertical as
well.  Dropping power would only help a little, and at the
expense of room penetration.  External patch antennas are
one idea we're looking at.  If anyone has any experience or
advice in this area they could share, I would be grateful!

Thanks,
-Karl Reuss
  University of Maryland, College Park



RE: [WIRELESS-LAN] What about WLAN in the Dorms?

2007-03-17 Thread Scholz, Greg
I was about to say the same.  It is an easy out to state only approved
devices are allowed to be connected to the network and exclude any
type of routing/switching/network device and/or any type of multi-homed
device.
http://www.keene.edu/it/security/connect.cfm


 _
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070
 
--Seek first to understand, and then to be understood. 
(Steven Covey)
 
-Original Message-
From: Cal Frye [mailto:[EMAIL PROTECTED] 
Sent: Saturday, March 17, 2007 9:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] What about WLAN in the Dorms?

Frank Bulk wrote:
 Charles:
 
 You brought up OTARD, so I can help but ask: what was the line of
 reasoning your legal office followed to come up with the policy that you
 reserve the right to limit the use of non-wireless Andrew 2.4 GHz devices?
 
Of course, not too many of these devices are useful if they can't be
plugged in or connected to our network or phone lines, and we do
restrict what appliances can be used in the residence halls.

-- 
Regards,
-- Cal Frye, Network Administrator, Oberlin College

   www.calfrye.com,  www.pitalabs.com

Sell not virtue to purchase wealth, nor Liberty to purchase power. --
Benjamin Franklin.



RE: [WIRELESS-LAN] wireless guest access

2007-02-26 Thread Scholz, Greg
Very timely. I am about to launch a project called public port security
and guest access that will attempt to define exactly this. I would like
to hear all other responses as well. (I suggest if you are considering
Wireless guests, you should be considering wired as well)

*   Currently we have NO guest access on wireless.
*   We recently changed all our public lab computers to use AD
authentication (e.g. no more public/guest access)
*   We use CCA in reshalls and enable the guest button JUST FOR THE
SUMMER (for all the conferences/camps we have during that time) so
effectively no guest access except for summer
*   The ONLY real guest access we have right now is any network port
in a publicly accessible location can be used by anyone without any type
of check. (These are the public ports referred to in my project title
above). INCLUDING if someone unplugs a lab/office/kiosk computer and
plugs in their own.
*   We will attempt to balance the tremendous desire for wireless &
wired guest access, CALEA, security and manageability.

I am thinking we may wind up with a 1x solution to determine appropriate
port settings (security/vlan/etc) based on recognition of user,
computer, or both and then computer health for non-campus managed
computers.


_
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070
 
--Lead, follow, or get out of the way. 
(author unknown)
 

-Original Message-
From: Lee Badman [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 26, 2007 1:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wireless guest access

Would like to expand out Kevin's question- what of wireless access for
guests, and for the non-affiliated folks (anonymous) that might end up
on campus? 

Anybody rethinking any of their sponsored guest/open access policies
because of CALEA concerns?

Regards-



Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003

 Kevin Lanning [EMAIL PROTECTED] 2/26/2007 12:46:48 PM 
Wondering what academic institutions are doing these days regarding 
wireless access for guests?
-- 
--
Kevin Lanning
lanning at unc.edu



RE: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

2006-07-10 Thread Scholz, Greg
In order to keep things simple I usually try to favor educating users on
the automatic built in kind of utilities (WZC) rather than having to
teach them how to shut off the built in stuff and then dabble in the
plethora of 3rd party versions available.  But the problem in this case
is that in my experience MS's utility is far inferior.  Also, almost all
laptops come with their own wireless utility that, although different
from every vendor, works generally the same and allows selecting of
exactly what the user wants VERY consistently (once the hidden SSID is
manually configured). (i.e. the 3rd party one tends to do what you want)

So this is one scenario where support may actually be easier by
suggesting/pushing that the users use whatever utility is specific to
their card rather than trying to get everyone on the same one where you
can be an expert. Your support calls may be more varied, but they
should be fewer and easier.

My .02


_
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070
 
--Lead, follow, or get out of the way. 
(author unknown)
 
-Original Message-
From: Kevin Miller [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 10, 2006 12:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

 From observations and discussion with others, it seems that
wireless zero config on windows favors broadcast SSIDs... You may notice
that sporadically it will connect to the broadcast one even if you've
configured the non-broadcast with higher priority.

-Kevin

Jim Gogan wrote:
 Quick question: has anyone run into any support issues when some SSIDs
 are broadcast and some aren't on a campus?
 
 -- Jim Gogan
ITS Telecommunications
University of North Carolina at Chapel Hill
 


RE: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

2006-07-10 Thread Scholz, Greg
Thanks all for clarifying.  I guess I was remembering back to when Cisco
first came out with multiple vlan/ssid pairs.  And our currently
installed Proxim/Orinoco APs allow multiple vlan/ssid pairs but only one
can be set to broadcast.  Since it sounds like now almost everyone can
do multiple vlan/ssid pairs AND broadcast for all of them, I will be
looking at that as a feature at our upcoming upgrade.


_
Thanks,
Greg
8-2070 

-Original Message-
From: Frank Bulk [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 10, 2006 4:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

Thanks, Stan, for clarifying.

Perhaps I presume, too quickly, that most schools use enterprise-class APs
or switch/controller-based systems where such functionality and support for
multiple BSSIDs are standard. =)

Depending on the system, there is always support for a 1:1 mapping of SSIDs
to VLANs, but most support a 1 to many and many to 1 mapping, too, although
it can be less than straight-forward.

Regards,

Frank

-Original Message-
From: Stan Brooks [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 10, 2006 2:35 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

Greg,

What Frank was alluding to was the ability of some APs and most WLAN 
switch/controller-based systems to support multiple SSIDs - also called 
Virtual WLANs.  To get consistent and acceptable client connectivity, 
the APs/WLAN controllers should support unique BSSIDs (wireless MAC 
addresses) for each SSID.

At Emory, we are using Aruba equipment quite successfully to present 
multiple SSIDs for guest access and WPA/WPA2.  Each SSID gets mapped to 
a specific VLAN and has different authentication and access rights.

 - Stan Brooks - CWNA/CWSP
  Emory University
  Network Communications Division
  404.727.0226
  [EMAIL PROTECTED]
AIM: WLANstan  Yahoo!: WLANstan  MSN: [EMAIL PROTECTED]


 Original Message 
From: Scholz, Greg
Date: 7/10/2006 3:15 PM

 I am surprised no one has brought up the issue of only being able to
 broadcast one SSID.  What do you do if you need/want more than one.

 We currently only have one and Frank's comment makes sense in that
 scenario.  However, assuming that we can only broadcast one, how do you
 differentiate wireless if needed?
 What I am hoping to achieve in the near future is 3 classes of service
 (Fac/Staff, Student, and guest). (note: we use CCA for reshalls here)
 Fac/staff can use their campus owned laptop and will be able to pass
 right over to a VPN to get into the network.  CCA can exempt devices
 we choose (e.g. campus run laptops)
 Students can use their same CCA credentials to log in and use the
 wireless in exactly the same manner as in the res halls. This will give
 them a more consistent experience.
 Guests will only be able to click guest in CCA and get 80 (maybe 443
 and IPSec - do not know yet) out to the world.
 If a student selects the Fac/Staff SSID they would fail the login so
 could not go anywhere and the same is true if a Fac/Staff selects the
 student SSID.
 
 _
 Thanks,
 Greg
 358-2070 
 
 -Original Message-
 From: Frank Bulk [mailto:[EMAIL PROTECTED] 
 Sent: Monday, July 10, 2006 2:51 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast
 
 In an educational network where you're not trying to leverage (erroneously)
 the SSID as a security tool you might as well just broadcast the SSID and
 make life easier for all the mobile clients involved -- why not?
 
 Frank
 
 -Original Message-
 From: Jorge Bodden [mailto:[EMAIL PROTECTED] 
 Sent: Monday, July 10, 2006 8:22 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast
 
 Jim,
 
 Yes, I have run into one particular problem when an SSID is not
 broadcast.  We call it a 'code 18', where the problem is 18 inches away
 from the monitor.  :-)

 I have found that it is quite difficult for people who do not have some
 experience with wireless, to set up their wireless devices when an SSID
 is not being broadcast.  You may be asking too much from the general
 public to force their device to search for the SSID.

 If the SSID is going to be used by the general then you might want to
 broadcast it, in order to minimize the calls to your helpdesk.
 
 Jorge
 
 Jim Gogan wrote:
 Quick question: has anyone run into any support issues when some SSIDs
 are broadcast and some aren't on a campus?

 -- Jim Gogan
ITS Telecommunications
University of North Carolina at Chapel Hill


RE: [WIRELESS-LAN] Theories on a massive problem on our WLAN?

2006-03-13 Thread Scholz, Greg
Not including crushing the regular Ethernet switches (3500's) I have
seen Cisco APs do something similar to what you are speculating.  This
was pre-IOS and Cisco confirmed what we saw but never fixed the issue
directly in the VxWorks because they claimed the IOS version would not
have it.  I left that job before we did this so I do not know the
result.

So with all that caveat, here is what we were 99.999% sure was
happening.  Each Cisco AP maintains a list of associations. The list
of associations includes clients as well as ALL APs in the same
broadcast domain.  I believe it has something to do with handoffs and
such or maybe just informational traffic, I am not sure.  In any case we
had 331 APs but only a small handful of clients.  The APs were getting
creamed by trying to keep track of 330 of their buddies as well as their
buddies' client associations.  That was the major flaw.  Cisco said if we
HAD to we should split up the management vlan so there were not 331 in
the same broadcast domain but leave the client vlans alone.  We did this
as a short term fix.

To compound this, someone (not me) told us at that time Wavelink was the
only way to go for management.  We went with it to find the following
problem.  One of the things it did was to periodically (5-15 mins or so)
poll each access point to include its association table.  Well, here
you go with 330 entries from each and every of the 330 APs in addition
to the AP's config itself.

Needless to say both of these issues caused a bit of what I would say
was excessive management traffic.

I can not remember the protocol name but if you do a sniff where you can
see layer 2 management traffic between the APs it should be pretty
obvious. I would look to see if WLSE is doing some sort of unexpected
query of the APs that may cause a larger than reasonable response.

Hope this gets you somewhere.

_
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070

--Seek first to understand, and then to be understood. 
  (Steven Covey)


-Original Message-
From: Lee Badman [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 13, 2006 12:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Theories on a massive problem on our WLAN?

Wondering if anyone in the group cares to hazard a theory.

Our Cisco WLAN has been quite stable for better than three years.
Currently running *180* 1130s, *120* 1200s, and a couple dozen 350s-
mostly IOS but a couple of legacy VxWorks that are hard to get to to
convert. We have the classic DMZ/Captive portal thing going on, where a
home-built gateway head-ends each of our two major wireless spaces, with
an optional VPN box for each space. We do trunk specific VLANs around
for each space. WLSE manages it all, no WLSM, no forced client
encryption (other than voluntary VPN). IOS APs are current and all
within 2 minor revisions of each other, and have been cruising along
nicely for quite a while.

This past Saturday, very early in the morning, one of our wireless
spaces was creamed by some sort of broad-ranging, severe multicast
flood. Long story short- it seemed like the APs were chattering back and
forth to each other with huge, continuous, multicast streams that
overwhelmed many of the switches carrying the traffic. Once it started,
it seemed to be self-propagating. We had to put in some ACLs to break
things up, and in some cases reboot the switches. Cat 3500s seem to take
the worst of it, and a couple got corrupted to the point of becoming
doorstops.

Knowing that it's hard to see the whole picture from afar, wondering if
anyone has ever experienced anything like this? 

Thanks for playing the game.

Lee

Lee Badman
Network Engineer
CWNA, CWSP
Information Technology and Services
(Formerly Computing and Media Services)
Syracuse University
(315) 443-3003
[EMAIL PROTECTED]



RE: [WIRELESS-LAN] Problems with 802.1x with hidden SSID

2006-02-27 Thread Scholz, Greg
Please reply to list or include me as we would be very interested in
this also.
Thanks in advance!
_
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070

--Seek first to understand, and then to be understood. 
  (Steven Covey)


-Original Message-
From: Tom Zeller [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 27, 2006 3:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Problems with 802.1x with hidden SSID

Our APs can only broadcast a single SSID (Proxim 600s and HP 420s).

To minimize disruption we're looking at running a new 802.1x wireless
network in parallel with the old VPN-protected network.

What we're seeing isn't so pretty.  Very unreliable getting a connection
with both Mac and PC though it works well once connected.

Using the same laptops with a test of broadcast SSID and they both connected
reliably and much faster.

If anyone has any ideas that this can NEVER work, or that you are in fact
doing this, I'd be interested in hearing about it.

Tom Zeller
Indiana University
[EMAIL PROTECTED]

812-855-6214



RE: [WIRELESS-LAN] 802.1x- Who's doing it and how far along

2006-01-19 Thread Scholz, Greg
Please either respond to the list or include me in the results.

-we are not using 802.1x in any manner (wired or wireless)
-na
-na
-wireless was in place when I got here so I do not know if 1x was
considered.

We use bluesocket so basically we give the wireless connection for
free (to coin a phrase) but then require login to go anywhere, even our
own webserver.  We have it limited to 80 and 443 so we do not require
any encryption at this time.

Please no one respond to me about how bad it is to allow all that
traffic unencrypted. We only recently had a real mechanism for
authenticating students so will be having a real project to decide on a
wireless network architecture including security and authentication in
the near future.

Hope that was brief enough (brevity is a struggle for me :)

_
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070


-Original Message-
From: Lee Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 19, 2006 8:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.1x- Who's doing it and how far along

Knowing that this can be a large topic, will try to keep the questions
simple for all:

- How many of you are using 802.1x as your primary production wireless
security mechanism?
- EAP type(s)?
- RADIUS type?
- Has anybody started down the 802.1x road, then bailed out with no
intention of going back to it? Why?


That's all! Trying to keep it brief for everyone's sake while still
gathering what I need...

Regards-

Lee

Lee H. Badman
Network Engineer
CWSP, CWNA (CWNP011288)
Computing and Media Services (NSS)
250 Machinery Hall
Syracuse University
Syracuse, NY 13244
(315) 443-3003 Voice
(315) 443-1621 Fax



RE: [WIRELESS-LAN] 802.1x- Who's doing it and how far along

2006-01-19 Thread Scholz, Greg
Cully,
Have you found any issue with certain client platforms not behaving
well? Any workarounds needed for certain clients (Mac, Linux, etc?)

_
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070


-Original Message-
From: Bennefield, Cully A. [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 19, 2006 9:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x- Who's doing it and how far along

We've been doing 1x for about two and a half years now.  We are using 
EAP-PEAP with MS-CHAPv2 and Microsoft's IAS Server as our RADIUS server.
Also, for the past six to eight months we have been using 1x to delegate
different policies to users based on Active Directory group membership.

Cully Bennefield
Baylor University

-Original Message-
From: Lee Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 19, 2006 7:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.1x- Who's doing it and how far along

Knowing that this can be a large topic, will try to keep the questions
simple for all:

- How many of you are using 802.1x as your primary production wireless
security mechanism?
- EAP type(s)?
- RADIUS type?
- Has anybody started down the 802.1x road, then bailed out with no
intention of going back to it? Why?


That's all! Trying to keep it brief for everyone's sake while still
gathering what I need...

Regards-

Lee

Lee H. Badman
Network Engineer
CWSP, CWNA (CWNP011288)
Computing and Media Services (NSS)
250 Machinery Hall
Syracuse University
Syracuse, NY 13244
(315) 443-3003 Voice
(315) 443-1621 Fax



RE: [WIRELESS-LAN] Rogue Detection in Dorms...

2006-01-06 Thread Scholz, Greg
I believe that is Sascha's point.  They can not necessarily connect it
to the campus owned network. That is within our rights to say. But
what about even forbidding the running of the AP.  Why would the
student want an AP that is not connected to the network?  Who cares,
when drafting a policy that stands on the foundation of running
unlicensed equipment it is bound to be fought.  However, basing it on
what can be connected to the network is relatively easy. This is what
we currently do in our CNUP.

http://www.keene.edu/policy/cnup.cfm
http://www.keene.edu/it/security/connect.cfm


_
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070


-Original Message-
From: Zeller, Tom S [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 06, 2006 11:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Rogue Detection in Dorms...

I don't agree with this analysis.  Students may have the right to use
the spectrum on their personal network.  I don't believe they have an
inherent right to broadcast the university's network out into the dorm
parking lot.  

[I'm not a lawyer, but I could play one on TV]

Tom Zeller
Indiana University

-Original Message-
From: Sascha Meinrath [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 06, 2006 11:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Rogue Detection in Dorms...

Hi all,

  Date:Thu, 5 Jan 2006 08:12:21 -0500
  From:Lee Badman [EMAIL PROTECTED]
  Subject: Re: Rouge Detection in Dorms
 
  I know that we found that finding rogues is almost meaningless if there
  isn't strong policy to back up their removal and banishment. We get
  push-back that the students' rooms are their homes, and in their homes
  they should be able to do their own wireless, etc... That notion gets
  weaker if you have wireless everywhere, but still the written policy with
  senior management sponsorship and very clear communication to students
  that such devices aren't allowed needs to be in place- just as important
  as any software or tools.

  I still toy with this idea- through the wire detection- as much as (or in
  concert with) a sensor-based solution: www.wimetrics.com

I suspect that rogue suppression and elimination of unlicensed devices
from students' dorms is a practice that is without legal protection and
would seriously caution any University from engaging in this practice.
It's one thing to prevent connection to your network of unauthorized
devices (which is clearly within a network administrator's rights), but
it's quite another to remove or banish unlicensed devices outright.

It's not so much that students' rooms are their homes as that no one has
any exclusive property rights to unlicensed frequencies -- everything from
clarifying statements from the FCC and the OTARD rules back up students'
rights to buy, deploy, and use unlicensed devices wherever they choose.
If there are any telecom lawyers on this list, I would love to hear some
clarification on the legal ramifications of enforcing a banning and
removal of unlicensed devices, but I anticipate that the law will back up
the students' rights to utilize these devices.

--Sascha


-- 
Sascha Meinrath
Policy Analyst*  Project Coordinator  *  President
Free Press   *** CUWiN   *** Acorn Active Media
www.freepress.net *  www.cuwireless.net   *  www.acornactivemedia.com



Wireless Charges

2006-01-04 Thread Scholz, Greg
We are moving to include wireless access in our charge back model.
Currently we charge for active data jacks so at this time any installed
wireless access points get charged only at the rate for the single data jack
required for the AP. We do not charge by IP, user, or connected computer:
if it has a connection to a switch, it is paid for at a flat monthly rate.

We would appreciate any information on how other schools are handling
charging for wireless access including how the charge was derived.

Thanks in advance

_
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070
